- Adobe Enterprise & Teams: Administration guide
- Plan your deployment
- Basic concepts
- Deployment Guides
- Deploy Creative Cloud for education
- Deployment home
- K-12 Onboarding Wizard
- Simple setup
- Syncing Users
- Roster Sync K-12 (US)
- Key licensing concepts
- Deployment options
- Quick tips
- Approve Adobe apps in Google Admin Console
- Enable Adobe Express in Google Classroom
- Integration with Canvas LMS
- Integration with Blackboard Learn
- Configuring SSO for District Portals and LMSs
- Add users through Roster Sync
- Kivuto FAQ
- Primary and Secondary institution eligibility guidelines
- Set up your organization
- Identity types | Overview
- Set up identity | Overview
- Set up organization with Enterprise ID
- Setup Azure AD federation and sync
- Set up Google Federation and sync
- Set up organization with Microsoft ADFS
- Set up organization for District Portals and LMS
- Set up organization with other Identity providers
- SSO common questions and troubleshooting
- Manage your organization setup
- Manage users
- Overview
- Administrative roles
- User management strategies
- Assign licenses to a Teams user
- In-app user management for teams
- Add users with matching email domains
- Change user's identity type
- Manage user groups
- Manage directory users
- Manage developers
- Migrate existing users to the Adobe Admin Console
- Migrate user management to the Adobe Admin Console
- Overview
- Manage products and entitlements
- Manage products and product profiles
- Manage products
- Buy products and licenses
- Manage product profiles for enterprise users
- Manage automatic assignment rules
- Entitle users to train Firefly custom models
- Review product requests
- Manage self-service policies
- Manage app integrations
- Manage product permissions in the Admin Console
- Enable/disable services for a product profile
- Single App | Creative Cloud for enterprise
- Optional services
- Manage Shared Device licenses
- Manage products and product profiles
- Get started with Global Admin Console
- Adopt global administration
- Select your organization
- Manage organization hierarchy
- Manage product profiles
- Manage administrators
- Manage user groups
- Update organization policies
- Manage policy templates
- Allocate products to child organizations
- Execute pending jobs
- Explore insights
- Export or import organization structure
- Manage storage and assets
- Storage
- Asset migration
- Reclaim assets from a user
- Student asset migration | EDU only
- Manage services
- Adobe Stock
- Custom fonts
- Adobe Asset Link
- Adobe Acrobat Sign
- Creative Cloud for enterprise - free membership
- Deploy apps and updates
- Overview
- Create packages
- Customize packages
- Deploy Packages
- Manage updates
- Adobe Update Server Setup Tool (AUSST)
- Adobe Remote Update Manager (RUM)
- Troubleshoot
- Manage your Teams account
- Renewals
- Manage contracts
- Reports & logs
- Get help
System Administrators can enable users to automatically create a federated account with the organization.
Adobe Admin Console, navigate to Settings, select a directory, and then select Authentication > Edit.
This feature is only available to Adobe enterprise customers who have set up one or more federated directories in the Admin Console.
Automatic account creation allows users without a federated account to automatically create one with their organization based on a verified email domain. When enabled for a federated directory, new users with a valid email domain of that directory will be able to create a federated account. Learn more about federated accounts.
Adobe strongly recommends you enable automatic account creation for the following benefits:
- Federated users can participate in sharing and collaboration flows with their org-owned account versus a personal account using an org-owned domain.
- Federated users can sign in securely via single sign-on.
- Automation speeds up the process of setting up users in your directory with little or no involvement from the administrator.
- Administrators can control the federated users' product licenses, cloud-stored assets, and sharing restrictions.
You can set up automatic assignment rules that assign products automatically to eligible users in your organization (or specified domains and directories) and enable product requests that allow end users to request access to products for administrator review.
User experience
When a user enters their email address to create an account, they are given a choice to create an account with their organization if the email address entered meets the following criteria:
- Has a valid email domain from the federated directory
- Is not associated with an existing Adobe account
The user should select Sign in under the Email address field and successfully authenticate with their organization’s single sign-on to complete the account creation. This triggers the flow of information from the identity provider to the Admin Console so that federated Adobe accounts are created automatically within the identified federated directory based on the user’s domain.
User accounts created through automatic account creation indicate the creation source in the User Details. Administrators can manage the accounts of any users added through automatic account creation, including removing them from the Users and Directory Users lists as needed. Administrators' actions are captured in the Audit Log report.
System Administrators can enable or disable automatic account creation per identity provider within each federated directory, allowing eligible users to get a federated account without any other action from an administrator.
The feature must be enabled by an administrator for an existing federated directory, while it is enabled by default for all new federated directories created in your Admin Console. Here's how you can edit existing directories to enable automatic account creation:
You can only enable automatic account creation for the federated domains that your organization owns and has claimed. Trustees of your federated directories cannot enable or disable automatic account creation.
-
Use the toggle to enable or disable automatic account creation for the identity provider.
If you disable automatic account creation for an identity provider, new users in your organization who have valid accounts with domains of that identity provider will no longer be able to create a federated account automatically. However, users who have already created a federated account will retain access to their account.
-
Select a default country from the dropdown menu in the Attribute mappings section.
The identity provider configuration with the Adobe Admin Console is created and owned by an organization and linked to the directory via federation. Adobe reads the first name, last name, email, and country to create accounts with appropriate attributes. Email is the only required attribute for account creation and all others are optional, though Adobe recommends including all attributes to distinguish users in the Admin console.
Adobe reads the following default values for user attributions from the federation token:
SAML Azure OIDC OIDC First name FirstName given_name given_name Last name LastName family_name family_name Email Email email email Country CountryCode ctry address.country The value mapped to the country field is populated in the user’s profile if shared from the organization’s directory. If no value is provided or the provided value isn't an Adobe-supported country, accounts will get provisioned without a country set by default. You also have the option to specify a default country that will get set on the user's profile in such cases instead. Learn more about federated directory setup.
-
You can also choose to update user information in Admin Console when users log in.
User attribute information can change in your directory after a federated Adobe account is created. You have the option to update user data in Adobe at sign-in by choosing the best option for your organization. The following options are available:
Don't update
User attribute information is not updated on user sign-in (default option).
Always update
User attribute information is always updated on user sign-in.
Update when not empty
Only non-empty user attribute information is updated on user sign-in. For example, if a user signs in and the organization’s directory shares an updated last name and no first name, only the last name will be updated to match the revised value and the first name will be preserved as the value already stored in the user’s Adobe account.
-
Note:
If an identity provider (IdP) or its parent directory is no longer active, automatic account creation is automatically disabled for the IdP. This change in status does not impact other IdPs within the federated directory, allowing automatic account creation to remain enabled with other active IdPs as needed.
Frequently asked questions
Where can users find the option to automatically create a federated account with my organization?
Users who don't already have an Adobe account will get the option to sign in with their SSO and auto-create a federated account when creating an account on the Adobe sign-in screen.
What benefits are available to users who automatically create an account with my organization?
Once a user has an account with their organization, that user can participate in collaboration and share workflows with other team members, as well as request access to products from their organization based on how the administrators have configured the automatic assignment rule and product request features.
What if I want to allow users to create other types of Adobe accounts automatically with my organization?
Currently, only federated accounts can be created automatically. A future phase of Zero Touch Administration will allow users to create other types of Adobe accounts with their organizations.
Can users who are not using a domain that my organization has claimed still have an account automatically created?
Only users who have an organization-provided account whose domain falls within the federated directory enabled for automatic account creation can create a federated account on-demand. The user must be able to successfully authenticate via single sign-on for account creation to be completed.
Does account creation automatically provide any product licenses to the user?
Automatic account creation only creates a new federated account for a user and does not automatically assign product licenses. A user can request access to Adobe products from their organization once they are a member based on how the administrators have configured the automatic assignment rule and product request features.
How do I remove a user from my Admin Console who automatically created their account?
Users who created a federated account on-demand can be removed from the organization by a System or User Administrator via the User List. Removing the user from the Directory User List will permanently delete their account and all license access.
Can users automatically create an account in a federated directory that has Azure or Google Sync configured?
A user can create an on-demand federated account in a directory where Azure or Google Sync has been configured. Once created, the user is under sync management, meaning their account cannot be edited via the Admin Console unless the sync is temporarily paused. If the user is added to the automated sync scope, their user information will be updated in their Adobe profile via the directory attribute mapping.
Will a user who already has a personal Adobe account under a domain my organization owns be presented with the option to create a new federated account under the same email address at sign-in?
Only users who are creating an account with their organization-owned domain will be offered the option to create a federated account on-demand. If a user is already using their org-owned email domain for personal use, they can choose to change the email address associated with the account, allowing them to create a federated account on-demand with their org-owned email domain.